==> CPANSA-DB-20260129.001/t/test_manifest <==
load.t
pod.t
pod_coverage.t

==> CPANSA-DB-20260129.001/t/pod_coverage.t <==
use Test::More;
eval "use Test::Pod::Coverage 1.00";
plan skip_all => "Test::Pod::Coverage 1.00 required for testing POD coverage" if $@;
all_pod_coverage_ok();

==> CPANSA-DB-20260129.001/t/pod.t <==
use Test::More;
eval "use Test::Pod 1.00";
plan skip_all => "Test::Pod 1.00 required for testing POD" if $@;
all_pod_files_ok();

==> CPANSA-DB-20260129.001/t/yamllint.config <==
rules:
  line-length:
    max: 120
    allow-non-breakable-words: true
    allow-non-breakable-inline-mappings: true

==> CPANSA-DB-20260129.001/t/load.t <==
my @classes = qw( CPANSA::DB );

use Test::More;

foreach my $class ( @classes ) {
    BAIL_OUT( "Bail out! $class did not compile\n" ) unless use_ok( $class );
}

done_testing();

==> CPANSA-DB-20260129.001/LICENSE <==
Artistic License 2.0

Copyright (c) 2000-2006, The Perl Foundation.

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble
********

This license establishes the terms under which a given free software Package may be copied, modified, distributed, and/or redistributed. The intent is that the Copyright Holder maintains some artistic control over the development of that Package while still keeping the Package available as open source and free software.
You are always permitted to make arrangements wholly outside of this license directly with the Copyright Holder of a given Package. If the terms of this license do not permit the full use that you propose to make of the Package, you should contact the Copyright Holder and seek a different licensing arrangement.

Definitions
***********

"Copyright Holder" means the individual(s) or organization(s) named in the copyright notice for the entire Package.

"Contributor" means any party that has contributed code or other material to the Package, in accordance with the Copyright Holder's procedures.

"You" and "your" means any person who would like to copy, distribute, or modify the Package.

"Package" means the collection of files distributed by the Copyright Holder, and derivatives of that collection and/or of those files. A given Package may consist of either the Standard Version, or a Modified Version.

"Distribute" means providing a copy of the Package or making it accessible to anyone else, or in the case of a company or organization, to others outside of your company or organization.

"Distributor Fee" means any fee that you charge for Distributing this Package or providing support for this Package to another party. It does not mean licensing fees.

"Standard Version" refers to the Package if it has not been modified, or has been modified only in ways explicitly requested by the Copyright Holder.

"Modified Version" means the Package, if it has been changed, and such changes were not explicitly requested by the Copyright Holder.

"Original License" means this Artistic License as Distributed with the Standard Version of the Package, in its current version or as it may be modified by The Perl Foundation in the future.

"Source" form means the source code, documentation source, and configuration files for the Package.

"Compiled" form means the compiled bytecode, object code, binary, or any other form resulting from mechanical transformation or translation of the Source form.

Permission for Use and Modification Without Distribution
********************************************************

(1) You are permitted to use the Standard Version and create and use Modified Versions for any purpose without restriction, provided that you do not Distribute the Modified Version.

Permissions for Redistribution of the Standard Version
******************************************************

(2) You may Distribute verbatim copies of the Source form of the Standard Version of this Package in any medium without restriction, either gratis or for a Distributor Fee, provided that you duplicate all of the original copyright notices and associated disclaimers. At your discretion, such verbatim copies may or may not include a Compiled form of the Package.

(3) You may apply any bug fixes, portability changes, and other modifications made available from the Copyright Holder. The resulting Package will still be considered the Standard Version, and as such will be subject to the Original License.

Distribution of Modified Versions of the Package as Source
**********************************************************

(4) You may Distribute your Modified Version as Source (either gratis or for a Distributor Fee, and with or without a Compiled form of the Modified Version) provided that you clearly document how it differs from the Standard Version, including, but not limited to, documenting any non-standard features, executables, or modules, and provided that you do at least ONE of the following:

(a) make the Modified Version available to the Copyright Holder of the Standard Version, under the Original License, so that the Copyright Holder may include your modifications in the Standard Version.

(b) ensure that installation of your Modified Version does not prevent the user installing or running the Standard Version. In addition, the Modified Version must bear a name that is different from the name of the Standard Version.

(c) allow anyone who receives a copy of the Modified Version to make the Source form of the Modified Version available to others under (i) the Original License or (ii) a license that permits the licensee to freely copy, modify and redistribute the Modified Version using the same licensing terms that apply to the copy that the licensee received, and requires that the Source form of the Modified Version, and of any works derived from it, be made freely available in that license fees are prohibited but Distributor Fees are allowed.

Distribution of Compiled Forms of the Standard Version or Modified
******************************************************************
Versions without the Source
***************************

(5) You may Distribute Compiled forms of the Standard Version without the Source, provided that you include complete instructions on how to get the Source of the Standard Version. Such instructions must be valid at the time of your distribution. If these instructions, at any time while you are carrying out such distribution, become invalid, you must provide new instructions on demand or cease further distribution. If you provide valid instructions or cease distribution within thirty days after you become aware that the instructions are invalid, then you do not forfeit any of your rights under this license.

(6) You may Distribute a Modified Version in Compiled form without the Source, provided that you comply with Section 4 with respect to the Source of the Modified Version.

Aggregating or Linking the Package
**********************************

(7) You may aggregate the Package (either the Standard Version or Modified Version) with other packages and Distribute the resulting aggregation provided that you do not charge a licensing fee for the Package. Distributor Fees are permitted, and licensing fees for other components in the aggregation are permitted. The terms of this license apply to the use and Distribution of the Standard or Modified Versions as included in the aggregation.

(8) You are permitted to link Modified and Standard Versions with other works, to embed the Package in a larger work of your own, or to build stand-alone binary or bytecode versions of applications that include the Package, and Distribute the result without restriction, provided the result does not expose a direct interface to the Package.

Items That are Not Considered Part of a Modified Version
********************************************************

(9) Works (including, but not limited to, modules and scripts) that merely extend or make use of the Package, do not, by themselves, cause the Package to be a Modified Version. In addition, such works are not considered parts of the Package itself, and are not subject to the terms of this license.

General Provisions
******************

(10) Any use, modification, and distribution of the Standard or Modified Versions is governed by this Artistic License. By using, modifying or distributing the Package, you accept this license. Do not use, modify, or distribute the Package, if you do not accept this license.

(11) If your Modified Version has been derived from a Modified Version made by someone other than you, you are nevertheless required to ensure that your Modified Version complies with the requirements of this license.

(12) This license does not grant you the right to use any trademark, service mark, tradename, or logo of the Copyright Holder.

(13) This license includes the non-exclusive, worldwide, free-of-charge patent license to make, have made, use, offer to sell, sell, import and otherwise transfer the Package with respect to any patent claims licensable by the Copyright Holder that are necessarily infringed by the Package.
If you institute patent litigation (including a cross-claim or counterclaim) against any party alleging that the Package constitutes direct or contributory patent infringement, then this Artistic License to you shall terminate on the date that such litigation is filed.

(14) Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

==> CPANSA-DB-20260129.001/GPG_README.md <==
## Import the keys

I have two keys, a personal one and a project one, on *keys.openpgp.org*. At the end of this doc is a pic of me holding up these keys handwritten on a notepad. If you need more trust than that, get in touch.

    % gpg --keyserver keys.openpgp.org --recv-keys 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041 867D53B08E433DF401A06EF49A9C0FE7F64876BF

If you trust these keys, certify them with your own key; that way you avoid a local warning about verifying files with untrusted keys. If you do not (yet) trust them and can tolerate the warning, skip this step:

    % gpg --sign-key 867D53B08E433DF401A06EF49A9C0FE7F64876BF
    % gpg --sign-key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041

`--sign-key` makes an exportable certification. If you only want to quiet the warning on your own machine and have no intention of publishing your certification, use `--lsign-key` instead, which makes a local, non-exportable one.

Keep in mind that this file ships inside the archive it is meant to help you verify, so before certifying anything confirm the fingerprints through a channel the archive cannot influence, such as a direct exchange with the author.

## Verify the database

I sign *lib/CPANSA/DB.pm* (formerly *lib/CPAN/Audit/DB.pm*, when the database shipped with CPAN::Audit) with [a GPG key I made for this module](https://keys.openpgp.org/vks/v1/by-fingerprint/75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041). The file *lib/CPANSA/DB.pm.gpg* is the detached signature for *lib/CPANSA/DB.pm*.

    % gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm

You may get a warning like:

> gpg: WARNING: This key is not certified with a trusted signature!

That means you didn't certify the keys, so your local GPG is reminding you that it has no trust path to them even though it can still verify the signature. Note that a "Good signature" line on its own only proves the file was signed by *some* key in your keyring: check that the fingerprint gpg reports is the one above, otherwise the check proves very little.

## Help others trust CPAN::Audit

We can enhance this trust for *lib/CPANSA/DB.pm* by attaching more trust to the key that signs that data. You do this by certifying the key to say that you have checked that it belongs to me. You can sign my personal key and my CPAN::Audit key with your key:

    % gpg --keyserver keys.openpgp.org --recv-keys 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041 867D53B08E433DF401A06EF49A9C0FE7F64876BF
    % gpg --sign-key 867D53B08E433DF401A06EF49A9C0FE7F64876BF
    % gpg --sign-key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
    % gpg --output ~/pobox.signed.gpg --export --armor 867D53B08E433DF401A06EF49A9C0FE7F64876BF
    % gpg --output ~/bdfoy.signed.gpg --export --armor 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041

Then send those output files back to me at *briandfoy@pobox.com*, or through some other channel that you'd like to use. I will import them into my keyring and re-export my key to the keyserver so other people will see that you signed the key. (One caveat: *keys.openpgp.org* does not distribute third-party certifications, so your signature will only be visible through key servers or channels that do.)

## Github Actions

When I push to Github, the "gpg" workflow checks that the files signed in the repo have the right signatures.

## The selfie

Here's a selfie with me holding up the two key fingerprints (google images of me to see if you think this is the same person). For the more cautious (not a bad thing here), we can arrange a way to verify that these keys belong to me and you are sending them to the right place.
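The `gpg --verify` step in "Verify the database" exits 0 for a good signature from *any* key in your keyring, and a CI check like the "gpg" workflow has the same blind spot if it only looks at the exit status. The script below is an added example, not part of CPANSA-DB or its workflow: it asks gpg for machine-readable status lines and accepts the file only when the `VALIDSIG` line names the pinned primary-key fingerprint. The only real values in it are the fingerprint from this README and the file names from lib/CPANSA/DB.pod; the status outputs at the bottom are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: verify lib/CPANSA/DB.pm against its detached signature and
# insist that the signature was made by the pinned key. This script is not
# part of CPANSA-DB or its "gpg" workflow; it only uses the fingerprint and
# file names documented in GPG_README.md and lib/CPANSA/DB.pod.

# Primary-key fingerprint of the CPAN::Audit / CPANSA signing key (from GPG_README.md).
CPANSA_FPR="75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041"

# Print the primary-key fingerprint from a VALIDSIG status line and return 0,
# or return 1 if the status text contains no VALIDSIG line. The --status-fd
# format is:
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <sig-time> <expire> <ver> \
#            <reserved> <pk-algo> <hash-algo> <class> <primary-key-fpr>
# The last field is the primary key even when a signing subkey made the
# signature, which is why that field, not the first, is compared.
validsig_primary_fpr() {
    printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 } END { exit !found }'
}

# Return 0 only if the status text shows a valid signature from the expected key.
# A GOODSIG line alone is not enough: gpg prints one for any key in the keyring,
# and the "not certified" warning is about trust, not validity.
signature_is_from_pinned_key() {
    _status="$1"
    _expected="$2"
    _fpr=$(validsig_primary_fpr "$_status") || return 1
    [ "$_fpr" = "$_expected" ]
}

# Run gpg on the real files. --status-fd 1 puts the machine-readable lines on
# stdout; gpg's exit status is checked too, but is deliberately not the only
# thing checked. Not run when this file is sourced; call it from the top of the
# unpacked distribution.
verify_cpansa_db() {
    _sig="${1:-lib/CPANSA/DB.pm.gpg}"
    _data="${2:-lib/CPANSA/DB.pm}"
    _out=$(gpg --batch --status-fd 1 --verify "$_sig" "$_data" 2>/dev/null) || return 1
    signature_is_from_pinned_key "$_out" "$CPANSA_FPR"
}

# Constructed status outputs for exercising the check offline. These are not
# real gpg output: the timestamps, algorithm numbers and the 0000... key are
# made up; only the CPANSA fingerprint is real.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F83F8D5E878B6041 CPAN::Audit (brian d foy)
[GNUPG:] VALIDSIG 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041 2024-11-18 1731945610 0 4 0 1 8 00 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# A good signature, but from some other key that happens to be in the keyring.
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Somebody Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-11-18 1731945610 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# The signature does not match the data at all.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG F83F8D5E878B6041 CPAN::Audit (brian d foy)'
```

Source the file and call `verify_cpansa_db` from the directory where the archive was unpacked; it returns non-zero both when gpg rejects the signature and when the signature is valid but made by a key other than the pinned one, which is the case a plain `gpg --verify` exit status would let through. The comparison is against the primary-key fingerprint because the README publishes that one; if the project ever signs with a subkey, the first `VALIDSIG` field changes but the last one does not.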
![](images/briandfoy-gpg-key-selfie.jpeg)

==> CPANSA-DB-20260129.001/lib/CPANSA/DB.pod <==
# created by util/generate at Thu Jan 29 18:37:46 2026
# https://github.com/briandfoy/cpan-security-advisory.git 135217d593c71dec75d368d1c56d78f25979ceeb

=encoding utf8

=head1 NAME

CPANSA::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit

=head1 SYNOPSIS

This module is primarily used by L<CPAN::Audit>.

    use CPANSA::DB;

    my $db = CPANSA::DB->db;

=head1 DESCRIPTION

The C<db> subroutine returns the CPAN Security Advisory (CPANSA) reports as a Perl data structure. However, anything can use this data.

Each release also comes with a F<.gpg> file that has the signature for the file. If you cannot confirm that the module file has the right signature, it might have been corrupted or modified.

This module is also available outside of CPAN as a release on GitHub. Each release on GitHub includes an attestation. There is also a JSON file that provides the same data structure.

=head2 Subroutines

There is exactly one subroutine:

=over 4

=item * db

Returns the hashref of all the CPANSA reports. The top-level key is C<dists>, whose value maps a distribution name to a hashref with C<advisories> (an array of advisory hashrefs), C<main_module>, and C<versions> (an array of hashrefs with C<date> and C<version>). Each advisory carries C<affected_versions>, C<cves>, C<description>, C<distribution>, C<fixed_versions>, C<id>, C<references>, C<reported>, and C<severity>, and may also carry C<darkpan> or C<comment>.

=back

=head1 VERIFYING

This distribution now uses GitHub attestations, which allow you to verify that the archive file you have was made from the official repo. You need a GitHub account and the GitHub CLI, C<gh>. Substitute the name of the archive you actually downloaded:

    # download the distro file from GitHub, MetaCPAN, or a CPAN mirror
    $ gh auth login
    ...follow instructions...
    $ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy

Additionally, each release comes with a GPG signature for F<lib/CPANSA/DB.pm>, so you can verify the data file itself. The key is the same one used when the database was distributed with L<CPAN::Audit>:

    $ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
    gpg: Signature made Mon Nov 18 11:00:10 2024 EST
    gpg:                using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
    gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) " [ultimate]

The C<[ultimate]> trust level above comes from the author's own keyring. On your machine it will read C<[unknown]> and gpg will warn that the key is not certified; what matters is that the signature is good and that the key fingerprint matches the one shown. See F<GPG_README.md> for how to fetch and certify the key.

=head1 SEE ALSO

Everything is managed in GitHub:

=over 4

=item * L<https://github.com/briandfoy/cpan-security-advisory>

=back

=cut

==> CPANSA-DB-20260129.001/lib/CPANSA/DB.pm <==
# created by util/generate at Thu Jan 29 18:37:46 2026
# https://github.com/briandfoy/cpan-security-advisory.git 135217d593c71dec75d368d1c56d78f25979ceeb

=encoding utf8

=head1 NAME

CPANSA::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit

=head1 SYNOPSIS

This module is primarily used by L<CPAN::Audit>.

    use CPANSA::DB;

    my $db = CPANSA::DB->db;

=head1 DESCRIPTION

The C<db> subroutine returns the CPAN Security Advisory (CPANSA) reports as a Perl data structure. However, anything can use this data.

Each release also comes with a F<.gpg> file that has the signature for the file. If you cannot confirm that the module file has the right signature, it might have been corrupted or modified.

This module is also available outside of CPAN as a release on GitHub. Each release on GitHub includes an attestation. There is also a JSON file that provides the same data structure.

=head2 Subroutines

There is exactly one subroutine:

=over 4

=item * db

Returns the hashref of all the CPANSA reports. The top-level key is C<dists>, whose value maps a distribution name to a hashref with C<advisories> (an array of advisory hashrefs), C<main_module>, and C<versions> (an array of hashrefs with C<date> and C<version>). Each advisory carries C<affected_versions>, C<cves>, C<description>, C<distribution>, C<fixed_versions>, C<id>, C<references>, C<reported>, and C<severity>, and may also carry C<darkpan> or C<comment>.

=back

=head1 VERIFYING

This distribution now uses GitHub attestations, which allow you to verify that the archive file you have was made from the official repo. You need a GitHub account and the GitHub CLI, C<gh>. Substitute the name of the archive you actually downloaded:

    # download the distro file from GitHub, MetaCPAN, or a CPAN mirror
    $ gh auth login
    ...follow instructions...
    $ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy

Additionally, each release comes with a GPG signature for F<lib/CPANSA/DB.pm>, so you can verify the data file itself. The key is the same one used when the database was distributed with L<CPAN::Audit>:

    $ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
    gpg: Signature made Mon Nov 18 11:00:10 2024 EST
    gpg:                using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
    gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) " [ultimate]

The C<[ultimate]> trust level above comes from the author's own keyring. On your machine it will read C<[unknown]> and gpg will warn that the key is not certified; what matters is that the signature is good and that the key fingerprint matches the one shown. See F<GPG_README.md> for how to fetch and certify the key.

=head1 SEE ALSO

Everything is managed in GitHub:

=over 4

=item * L<https://github.com/briandfoy/cpan-security-advisory>

=back

=cut

package CPANSA::DB;
use strict;
use warnings;

our $VERSION = '20260129.001';

sub db { {"dists" => {"ActivePerl" => {"advisories" => [{"affected_versions" => ["=5.16.1.1601"],"cves" => ["CVE-2012-5377"],"darkpan" => "true","description" => "Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in the top-level C:\\ directory, allows local users to gain privileges via a Trojan horse DLL in the C:\\Perl\\Site\\bin directory, which is added to the PATH system environment variable, as demonstrated by a Trojan horse wlbsctrl.dll file used by the \"IKE and AuthIP IPsec Keying Modules\" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2012-5377","references" => ["https://www.htbridge.com/advisory/HTB23108","http://osvdb.org/86177"],"reported" => "2012-10-11","severity" => undef},{"affected_versions" => ["=5.8.8.817"],"cves" => ["CVE-2006-2856"],"darkpan" => "true","description" => "ActiveState ActivePerl 5.8.8.817 for Windows configures the site/lib directory with \"Users\" group permissions for changing files, which allows local users to gain privileges by creating a malicious sitecustomize.pl file in that directory.
NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2006-2856","references" => ["http://secunia.com/advisories/20328","http://www.securityfocus.com/bid/18269","http://www.osvdb.org/25974","http://www.vupen.com/english/advisories/2006/2140","https://exchange.xforce.ibmcloud.com/vulnerabilities/26915"],"reported" => "2006-06-06","severity" => undef},{"affected_versions" => ["<=5.8.1"],"cves" => ["CVE-2004-2286"],"darkpan" => "true","description" => "Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-2286","references" => ["http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0878.html","http://www.securityfocus.com/bid/10380","https://exchange.xforce.ibmcloud.com/vulnerabilities/16224"],"reported" => "2004-12-31","severity" => undef},{"affected_versions" => ["<5.10"],"cves" => ["CVE-2004-2022"],"darkpan" => "true","description" => "ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. 
NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-2022","references" => ["http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt","http://www.perlmonks.org/index.pl?node_id=354145","http://www.securityfocus.com/bid/10375","http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0905.html","http://marc.info/?l=full-disclosure&m=108489112131099&w=2","http://marc.info/?l=full-disclosure&m=108482796105922&w=2","http://marc.info/?l=full-disclosure&m=108483058514596&w=2","http://marc.info/?l=bugtraq&m=108489894009025&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/16169"],"reported" => "2004-12-31","severity" => undef},{"affected_versions" => [],"cves" => ["CVE-2004-0377"],"darkpan" => "true","description" => "Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => "CPANSA-ActivePerl-2004-0377","references" => ["http://www.kb.cert.org/vuls/id/722414","http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/019794.html","http://public.activestate.com/cgi-bin/perlbrowse?patch=22552","http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities","http://marc.info/?l=bugtraq&m=108118694327979&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/15732"],"reported" => "2004-05-04","severity" => undef},{"affected_versions" => ["<=5.6.1.629"],"cves" => ["CVE-2001-0815"],"darkpan" => "true","description" => "Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.\n","distribution" => "ActivePerl","fixed_versions" => [],"id" => 
"CPANSA-ActivePerl-2001-0815","references" => ["http://bugs.activestate.com/show_bug.cgi?id=18062","http://www.securityfocus.com/bid/3526","http://www.osvdb.org/678","http://marc.info/?l=bugtraq&m=100583978302585&w=2","https://exchange.xforce.ibmcloud.com/vulnerabilities/7539"],"reported" => "2001-12-06","severity" => undef}],"main_module" => "","versions" => []},"Alien-FreeImage" => {"advisories" => [{"affected_versions" => [">=0.001,<=0.011"],"cves" => ["CVE-2015-0852"],"description" => "Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window.\n","distribution" => "Alien-FreeImage","fixed_versions" => [],"id" => "CPANSA-Alien-FreeImage-2015-0852-freeimage","references" => ["https://github.com/kmx/alien-freeimage/issues/5","http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167766.html","http://www.openwall.com/lists/oss-security/2015/08/28/1","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165","http://www.debian.org/security/2015/dsa-3392","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172491.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172583.html","http://www.securitytracker.com/id/1034077","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168000.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168023.html","https://security.gentoo.org/glsa/201701-68","https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"],"reported" => "2015-09-29","severity" => undef},{"affected_versions" => [">=1.000_1,<=1.001"],"cves" => ["CVE-2015-0852"],"description" => "Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a 
window.\n","distribution" => "Alien-FreeImage","fixed_versions" => [],"id" => "CPANSA-Alien-FreeImage-2015-0852-freeimage","references" => ["https://github.com/kmx/alien-freeimage/issues/5","http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167766.html","http://www.openwall.com/lists/oss-security/2015/08/28/1","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797165","http://www.debian.org/security/2015/dsa-3392","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172491.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172583.html","http://www.securitytracker.com/id/1034077","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168000.html","http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168023.html","https://security.gentoo.org/glsa/201701-68","https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"],"reported" => "2015-09-29","severity" => undef},{"affected_versions" => [">=0.001,<=1.001"],"cves" => ["CVE-2018-25032"],"description" => "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.\n","distribution" => "Alien-FreeImage","fixed_versions" => [],"id" => "CPANSA-Alien-FreeImage-2018-25032-zlib","references" => 
["https://rt.cpan.org/Ticket/Display.html?id=143579","https://www.openwall.com/lists/oss-security/2022/03/24/1","https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531","http://www.openwall.com/lists/oss-security/2022/03/25/2","http://www.openwall.com/lists/oss-security/2022/03/26/1","https://www.openwall.com/lists/oss-security/2022/03/28/1","https://github.com/madler/zlib/compare/v1.2.11...v1.2.12","https://www.openwall.com/lists/oss-security/2022/03/28/3","https://github.com/madler/zlib/issues/605","https://www.debian.org/security/2022/dsa-5111","https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/","https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html","https://support.apple.com/kb/HT213255","https://support.apple.com/kb/HT213256","https://support.apple.com/kb/HT213257","http://seclists.org/fulldisclosure/2022/May/33","http://seclists.org/fulldisclosure/2022/May/35","http://seclists.org/fulldisclosure/2022/May/38","https://security.netapp.com/advisory/ntap-20220526-0009/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/"],"reported" => "2022-03-25","severity" => "high"}],"main_module" => "Alien::FreeImage","versions" => [{"date" => "2014-11-27T21:33:19","version" => "0.001"},{"date" => "2014-11-27T23:23:17","version" => "0.002"},{"date" => "2014-11-28T06:50:21","version" => "0.003"},{"date" => "2014-11-28T08:16:43","version" => "0.004"},{"date" => "2014-11-28T09:42:55","version" => "0.005"},{"date" => "2014-11-29T17:54:12","version" => 
"0.006"},{"date" => "2014-11-29T22:00:16","version" => "0.007"},{"date" => "2014-11-29T22:04:22","version" => "0.008"},{"date" => "2014-11-30T21:50:53","version" => "0.009"},{"date" => "2014-12-08T22:22:02","version" => "0.010"},{"date" => "2014-12-09T21:26:56","version" => "0.011"},{"date" => "2017-06-25T21:05:55","version" => "1.000_1"},{"date" => "2017-06-26T17:54:11","version" => "1.000_2"},{"date" => "2017-06-27T08:30:16","version" => "1.000_3"},{"date" => "2017-07-11T11:46:10","version" => "1.001"}]},"Alien-GCrypt" => {"advisories" => [{"affected_versions" => [">=1.6.2.0,<=1.6.2.1"],"cves" => ["CVE-2021-40528"],"description" => "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.\n","distribution" => "Alien-GCrypt","fixed_versions" => [],"id" => "CPANSA-Alien-GCrypt-2021-40528-libgcrypt","references" => ["https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1","https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2","https://eprint.iacr.org/2021/923","https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320"],"reported" => "2021-09-06","severity" => "medium"},{"affected_versions" => ["==1.6.5.0"],"cves" => ["CVE-2021-40528"],"description" => "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against 
OpenPGP.\n","distribution" => "Alien-GCrypt","fixed_versions" => [],"id" => "CPANSA-Alien-GCrypt-2021-40528-libgcrypt","references" => ["https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1","https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2","https://eprint.iacr.org/2021/923","https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320"],"reported" => "2021-09-06","severity" => "medium"}],"main_module" => "Alien::GCrypt","versions" => [{"date" => "2014-11-19T00:20:20","version" => "1.6.2.0"},{"date" => "2014-11-21T22:25:49","version" => "1.6.2.1"},{"date" => "2016-03-11T00:00:36","version" => "1.6.5.0"}]},"Alien-OTR" => {"advisories" => [{"affected_versions" => [">=4.0.0.0,<=4.0.0.1"],"cves" => ["CVE-2016-2851"],"description" => "Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.\n","distribution" => "Alien-OTR","fixed_versions" => [],"id" => "CPANSA-Alien-OTR-2016-2851-libotr","references" => ["https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/","http://www.debian.org/security/2016/dsa-3512","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html","https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html","http://seclists.org/fulldisclosure/2016/Mar/21","http://www.securityfocus.com/bid/84285","http://www.ubuntu.com/usn/USN-2926-1","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html","https://security.gentoo.org/glsa/201701-10","https://www.exploit-db.com/exploits/39550/","http://www.securityfocus.com/archive/1/537745/100/0/threaded"],"reported" => "2016-04-07","severity" => "critical"},{"affected_versions" => ["==4.1.0.0"],"cves" => 
["CVE-2016-2851"],"description" => "Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.\n","distribution" => "Alien-OTR","fixed_versions" => [],"id" => "CPANSA-Alien-OTR-2016-2851-libotr","references" => ["https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/","http://www.debian.org/security/2016/dsa-3512","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html","https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html","http://seclists.org/fulldisclosure/2016/Mar/21","http://www.securityfocus.com/bid/84285","http://www.ubuntu.com/usn/USN-2926-1","http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html","https://security.gentoo.org/glsa/201701-10","https://www.exploit-db.com/exploits/39550/","http://www.securityfocus.com/archive/1/537745/100/0/threaded"],"reported" => "2016-04-07","severity" => "critical"}],"main_module" => "Alien::OTR","versions" => [{"date" => "2014-02-04T00:25:37","version" => "4.0.0.0"},{"date" => "2014-06-16T00:29:25","version" => "4.0.0.1"},{"date" => "2014-11-19T00:30:34","version" => "4.1.0.0"},{"date" => "2016-03-10T23:38:55","version" => "4.1.1.0"}]},"Alien-PCRE2" => {"advisories" => [{"affected_versions" => ["<0.016000"],"comment" => "This Alien module fetches libpcre2 sources from the network. It tries to get the latest unless you set environment variables to get a different version.\n","cves" => ["CVE-2019-20454"],"description" => "An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. 
The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.\n","distribution" => "Alien-PCRE2","fixed_versions" => [">=0.016000"],"id" => "CPANSA-Alien-PCRE2-2019-20454","references" => ["https://bugs.php.net/bug.php?id=78338","https://bugs.exim.org/show_bug.cgi?id=2421","https://bugzilla.redhat.com/show_bug.cgi?id=1735494","https://vcs.pcre.org/pcre2?view=revision&revision=1092","https://security.gentoo.org/glsa/202006-16","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/OQRAHYHLRNMBTPR3KXVM27NSZP3KTOPI/"],"reported" => "2020-02-14","severity" => "high"}],"main_module" => "Alien::PCRE2","versions" => [{"date" => "2017-06-30T23:18:21","version" => "0.001000"},{"date" => "2017-07-01T02:48:02","version" => "0.002000"},{"date" => "2017-07-02T04:51:35","version" => "0.003000"},{"date" => "2017-07-02T06:53:29","version" => "0.004000"},{"date" => "2017-07-02T09:21:41","version" => "0.005000"},{"date" => "2017-07-03T01:03:23","version" => "0.006000"},{"date" => "2017-07-12T17:40:07","version" => "0.007000"},{"date" => "2017-07-13T07:43:28","version" => "0.008000"},{"date" => "2017-07-15T10:31:20","version" => "0.009000"},{"date" => "2017-07-17T04:44:54","version" => "0.010000"},{"date" => "2017-07-18T18:30:06","version" => "0.011000"},{"date" => "2017-07-19T05:07:21","version" => "0.012000"},{"date" => "2017-07-23T04:43:01","version" => "0.013000"},{"date" => "2017-11-01T02:50:14","version" => "0.014000"},{"date" => "2017-11-08T00:42:33","version" => "0.015000"},{"date" => "2022-05-08T20:22:53","version" => "0.016000"},{"date" => "2023-02-04T00:21:59","version" => "0.017000"}]},"Alien-SVN" => {"advisories" => [{"affected_versions" => [">=1.4.5.0,<=1.4.5.3"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. 
The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => [">=1.4.6.0,<=1.4.6.0"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => [">=1.6.12.0,<=1.6.12.1"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. 
The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => [">=1.7.3.0,<=1.17.3.0"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => [">=1.7.17.0,<=1.17.1.0"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. 
The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => ["==1.7.19.0"],"cves" => ["CVE-2016-8734"],"description" => "Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2016-8734-subversion","references" => ["https://subversion.apache.org/security/CVE-2016-8734-advisory.txt","https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1037361","http://www.securityfocus.com/bid/94588","http://www.debian.org/security/2017/dsa-3932","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-10-16","severity" => "medium"},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2015-0248"],"description" => "The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.\n","distribution" => "Alien-SVN","fixed_versions" => 
[],"id" => "CPANSA-Alien-SVN-2015-0248-subversion","references" => ["http://www.mandriva.com/security/advisories?name=MDVSA-2015:192","http://subversion.apache.org/security/CVE-2015-0248-advisory.txt","http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT205217","http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html","http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html","http://www.securityfocus.com/bid/74260","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","http://www.debian.org/security/2015/dsa-3231","https://security.gentoo.org/glsa/201610-05","http://www.securitytracker.com/id/1033214"],"reported" => "2015-04-08","severity" => undef},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2015-0251"],"description" => "The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2015-0251-subversion","references" => 
["http://subversion.apache.org/security/CVE-2015-0251-advisory.txt","http://www.mandriva.com/security/advisories?name=MDVSA-2015:192","http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html","http://rhn.redhat.com/errata/RHSA-2015-1633.html","https://support.apple.com/HT205217","http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html","http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html","http://www.securityfocus.com/bid/74259","http://rhn.redhat.com/errata/RHSA-2015-1742.html","http://www.ubuntu.com/usn/USN-2721-1","http://seclists.org/fulldisclosure/2015/Jun/32","http://www.debian.org/security/2015/dsa-3231","https://security.gentoo.org/glsa/201610-05","http://www.securitytracker.com/id/1033214"],"reported" => "2015-04-08","severity" => undef},{"affected_versions" => [">=1.4.5.0,<=1.4.5.3"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => ["==1.4.6.0"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => [">=1.6.12.0,<=1.6.12.1"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => [">=1.7.17.0,<=1.7.17.1"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => ["==1.7.19.0"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => [">=1.7.3.0,<=1.7.3.1"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"},{"affected_versions" => ["==1.8.11.0"],"cves" => ["CVE-2017-9800"],"description" => "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. 
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.\n","distribution" => "Alien-SVN","fixed_versions" => [],"id" => "CPANSA-Alien-SVN-2017-9800-svn","references" => ["https://subversion.apache.org/security/CVE-2017-9800-advisory.txt","https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63\@%3Cannounce.apache.org%3E","http://www.securitytracker.com/id/1039127","http://www.securityfocus.com/bid/100259","https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html","http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html","https://security.gentoo.org/glsa/201709-09","https://support.apple.com/HT208103","http://www.debian.org/security/2017/dsa-3932","https://access.redhat.com/errata/RHSA-2017:2480","http://www.securityfocus.com/archive/1/540999/100/0/threaded","https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76\@%3Ccommits.subversion.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html"],"reported" => "2017-08-11","severity" => "critical"}],"main_module" => "Alien::SVN","versions" => [{"date" => "2007-09-12T10:21:02","version" => "1.4.5.0"},{"date" => "2007-09-21T01:13:48","version" => "1.4.5.1"},{"date" => "2007-09-21T11:45:13","version" => "1.4.5.2"},{"date" => "2007-12-26T09:04:20","version" => "1.4.5.3"},{"date" => "2007-12-27T05:34:26","version" => "1.4.6.0"},{"date" => "2010-08-18T07:45:18","version" => "v1.6.12.0"},{"date" => "2011-02-23T00:51:22","version" => "v1.6.12.1"},{"date" => "2012-03-02T00:57:20","version" => "v1.7.3.0"},{"date" => "2012-03-18T22:14:33","version" => "v1.7.3.1"},{"date" => "2014-06-12T04:08:38","version" => "v1.7.17.0"},{"date" => "2014-06-12T17:19:44","version" => "v1.7.17.1"},{"date" => "2015-01-12T23:26:41","version" => "v1.7.19.0"},{"date" => "2015-01-13T00:12:19","version" => 
"v1.8.11.0"}]},"Amon2-Auth-Site-LINE" => {"advisories" => [{"affected_versions" => ["<0.05"],"cves" => ["CVE-2024-57835"],"description" => "Amon2::Auth::Site::LINE uses the String::Random module\x{a0}to generate nonce values.\x{a0} String::Random\x{a0}defaults to Perl's built-in predictable\x{a0}random number generator,\x{a0}the rand() function, which is not cryptographically secure","distribution" => "Amon2-Auth-Site-LINE","fixed_versions" => [">=0.05"],"id" => "CPANSA-Amon2-Auth-Site-LINE-2024-57835","references" => ["https://metacpan.org/release/SHLOMIF/String-Random-0.32/source/lib/String/Random.pm#L377","https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L235","https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L255","https://security.metacpan.org/docs/guides/random-data-for-security.html","https://jvndb.jvn.jp/ja/contents/2025/JVNDB-2025-003449.html"],"reported" => "2025-04-05","severity" => "moderate"}],"main_module" => "Amon2::Auth::Site::LINE","versions" => [{"date" => "2020-11-21T06:34:32","version" => "0.01"},{"date" => "2020-11-23T00:05:03","version" => "0.02"},{"date" => "2020-11-25T01:33:35","version" => "0.03"},{"date" => "2020-11-26T07:04:40","version" => "0.04"},{"date" => "2025-05-20T12:14:56","version" => "0.05"}]},"Apache-ASP" => {"advisories" => [{"affected_versions" => ["<1.95"],"cves" => [],"description" => "A bug would allow a malicious user possible writing of files in the same directory as the source.asp script.\n","distribution" => "Apache-ASP","fixed_versions" => [">=1.95"],"id" => "CPANSA-Apache-ASP-2000-01","references" => ["https://metacpan.org/release/CHAMAS/Apache-ASP-2.63/source/README"],"reported" => "2000-07-10","severity" => undef}],"main_module" => "Apache::ASP","versions" => [{"date" => "1998-06-24T02:10:51","version" => "0.01"},{"date" => "1998-07-11T01:48:14","version" => "0.02"},{"date" => "1998-09-14T11:13:32","version" => 
"0.03"},{"date" => "1998-10-12T07:50:56","version" => "0.04"},{"date" => "1998-10-18T21:29:19","version" => "0.05"},{"date" => "1999-02-06T06:04:50","version" => "0.08"},{"date" => "1999-04-22T08:30:57","version" => "0.09"},{"date" => "1999-06-24T20:04:52","version" => "0.11"},{"date" => "1999-07-02T07:05:05","version" => "0.12"},{"date" => "1999-07-29T10:58:20","version" => "0.14"},{"date" => "1999-08-25T02:02:31","version" => "0.15"},{"date" => "1999-09-22T20:54:01","version" => "0.16"},{"date" => "1999-11-16T04:44:48","version" => "0.17"},{"date" => "2000-02-04T02:14:14","version" => "0.18"},{"date" => "2000-07-03T13:08:54","version" => "1.91"},{"date" => "2000-07-03T22:43:45","version" => "1.93"},{"date" => "2000-07-11T01:44:02","version" => "1.95"},{"date" => "2000-07-16T07:17:39","version" => "2.00"},{"date" => "2000-07-22T23:31:36","version" => "2.01"},{"date" => "2000-08-02T00:11:15","version" => "2.03"},{"date" => "2000-11-26T19:15:48","version" => "2.07"},{"date" => "2001-01-31T04:03:17","version" => "2.09"},{"date" => "2001-05-30T01:37:39","version" => "2.11"},{"date" => "2001-06-12T00:41:33","version" => "2.15"},{"date" => "2001-06-18T02:35:48","version" => "2.17"},{"date" => "2001-07-11T05:27:22","version" => "2.19"},{"date" => "2001-08-05T23:01:50","version" => "2.21"},{"date" => "2001-10-11T07:54:39","version" => "2.23"},{"date" => "2001-10-11T23:34:01","version" => "2.25"},{"date" => "2001-11-01T01:11:12","version" => "2.27"},{"date" => "2001-11-19T21:41:12","version" => "2.29"},{"date" => "2002-01-22T09:52:49","version" => "2.31"},{"date" => "2002-04-30T09:12:20","version" => "2.33"},{"date" => "2002-05-30T19:47:22","version" => "2.35"},{"date" => "2002-07-03T21:11:15","version" => "2.37"},{"date" => "2002-09-12T08:16:20","version" => "2.39"},{"date" => "2002-09-30T06:35:47","version" => "2.41"},{"date" => "2002-10-14T04:01:36","version" => "2.45"},{"date" => "2002-11-07T02:03:41","version" => "2.47"},{"date" => "2002-11-11T07:15:21","version" => 
"2.49"},{"date" => "2003-02-10T21:11:34","version" => "2.51"},{"date" => "2003-04-10T16:27:14","version" => "2.53"},{"date" => "2003-08-10T07:39:57","version" => "2.55"},{"date" => "2004-01-29T08:30:48","version" => "2.57"},{"date" => "2005-05-24T05:52:39","version" => "2.59"},{"date" => "2008-05-25T23:07:57","version" => "2.61"},{"date" => "2011-10-02T19:18:10","version" => "2.62"},{"date" => "2012-02-13T23:15:04","version" => "2.62"},{"date" => "2018-03-15T05:28:37","version" => "2.63"}]},"Apache-AuthCAS" => {"advisories" => [{"affected_versions" => ["<0.5"],"cves" => ["CVE-2007-6342"],"description" => "A tainted cookie could be sent by a malicious user and it would be used in an SQL query without protection against SQL injection.\n","distribution" => "Apache-AuthCAS","fixed_versions" => [">=0.5"],"id" => "CPANSA-Apache-AuthCAS-2007-01","references" => ["https://metacpan.org/changes/distribution/Apache-AuthCAS","https://cxsecurity.com/issue/WLB-2007120031"],"reported" => "2007-12-13","severity" => "high"}],"main_module" => "Apache::AuthCAS","versions" => [{"date" => "2004-09-15T19:17:43","version" => "0.1"},{"date" => "2004-09-15T20:11:40","version" => "0.2"},{"date" => "2004-10-05T22:51:50","version" => "0.3"},{"date" => "2004-10-13T00:45:52","version" => "0.4"},{"date" => "2008-03-23T23:03:16","version" => "0.5"}]},"Apache-AuthenHook" => {"advisories" => [{"affected_versions" => [">=2.00_04"],"cves" => ["CVE-2010-3845"],"description" => "libapache-authenhook-perl 2.00-04 stores usernames and passwords in plaintext in the vhost error log.\n","distribution" => "Apache-AuthenHook","fixed_versions" => [],"id" => "CPANSA-Apache-AuthenHook-2010-3845","references" => ["https://rt.cpan.org/Public/Bug/Display.html?id=62040","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599712","http://seclists.org/oss-sec/2010/q4/63"],"reported" => "2017-08-08","severity" => "critical"}],"main_module" => "Apache::AuthenHook","versions" => [{"date" => "2003-06-20T19:05:21","version" 
=> "2.00_01"},{"date" => "2004-04-06T01:20:10","version" => "2.00_03"},{"date" => "2005-04-14T12:57:55","version" => "2.00_04"}]},"Apache-MP3" => {"advisories" => [{"affected_versions" => ["<2.15"],"cves" => [],"description" => "A security bug allowed people to bypass the AllowDownload setting.\n","distribution" => "Apache-MP3","fixed_versions" => [">=2.15"],"id" => "CPANSA-Apache-MP3-2001-01","references" => ["https://metacpan.org/dist/Apache-MP3/changes"],"reported" => "2001-01-01","severity" => undef}],"main_module" => "Apache::MP3","versions" => [{"date" => "2000-03-20T13:00:07","version" => "1.00"},{"date" => "2000-05-27T04:19:21","version" => "2.00"},{"date" => "2000-05-27T04:34:42","version" => "2.01"},{"date" => "2000-05-28T16:17:59","version" => "2.02"},{"date" => "2000-08-23T13:46:23","version" => "2.04"},{"date" => "2000-08-25T14:45:54","version" => "2.05"},{"date" => "2000-08-26T03:41:07","version" => "2.06"},{"date" => "2000-08-31T20:28:28","version" => "2.08"},{"date" => "2000-09-03T18:31:17","version" => "2.10"},{"date" => "2000-09-09T22:12:04","version" => "2.11"},{"date" => "2000-11-21T22:15:07","version" => "2.12"},{"date" => "2000-12-31T04:29:03","version" => "2.14"},{"date" => "2001-01-02T03:37:33","version" => "2.15"},{"date" => "2001-05-01T02:43:47","version" => "2.16"},{"date" => "2001-06-10T22:02:46","version" => "2.18"},{"date" => "2001-07-17T01:39:59","version" => "2.19"},{"date" => "2001-09-26T01:14:42","version" => "2.20"},{"date" => "2002-01-06T20:38:33","version" => "2.22"},{"date" => "2002-05-31T01:12:04","version" => "2.26"},{"date" => "2002-08-16T04:18:25","version" => "3.00"},{"date" => "2002-08-18T17:41:46","version" => "3.01"},{"date" => "2002-10-14T03:26:03","version" => "3.03"},{"date" => "2003-02-15T00:51:19","version" => "3.04"},{"date" => "2003-10-06T14:12:34","version" => "3.05"},{"date" => "2006-04-15T01:26:38","version" => "4.00"}]},"Apache-Session-Browseable" => {"advisories" => [{"affected_versions" => ["<1.3.6"],"cves" 
=> ["CVE-2020-36659"],"description" => "In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.\n","distribution" => "Apache-Session-Browseable","fixed_versions" => [">=1.3.6"],"id" => "CPANSA-Apache-Session-Browseable-2020-36659","references" => ["https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f","https://lists.debian.org/debian-lts-announce/2023/01/msg00025.html"],"reported" => "2023-01-27","severity" => undef}],"main_module" => "Apache::Session::Browseable","versions" => [{"date" => "2009-10-31T08:09:42","version" => "0.1"},{"date" => "2009-11-01T09:10:13","version" => "0.2"},{"date" => "2009-11-01T16:21:16","version" => "0.3"},{"date" => "2010-08-16T15:26:19","version" => "0.4"},{"date" => "2010-12-06T21:08:25","version" => "0.5"},{"date" => "2010-12-08T15:45:21","version" => "0.6"},{"date" => "2012-06-24T07:14:37","version" => "0.7"},{"date" => "2012-10-13T16:15:41","version" => "0.8"},{"date" => "2013-02-28T06:05:09","version" => "0.9"},{"date" => "2013-08-28T04:42:23","version" => "1.0"},{"date" => "2013-08-30T04:47:02","version" => "1.0"},{"date" => "2013-10-20T05:39:14","version" => "v1.0.2"},{"date" => "2015-06-12T15:56:45","version" => "1.1"},{"date" => "2016-03-09T05:31:13","version" => "1.2"},{"date" => "2016-03-10T06:30:41","version" => "v1.2.1"},{"date" => "2016-04-01T11:34:51","version" => "v1.2.2"},{"date" => "2016-06-07T13:59:19","version" => "v1.2.3"},{"date" => "2017-02-19T07:34:18","version" => "v1.2.4"},{"date" => "2017-04-04T05:18:26","version" => "v1.2.5"},{"date" => "2017-09-12T09:35:30","version" => "v1.2.5"},{"date" => "2017-10-03T05:00:07","version" => "v1.2.7"},{"date" => "2017-10-03T10:42:35","version" => "v1.2.8"},{"date" => 
"2019-02-08T06:29:20","version" => "v1.2.9"},{"date" => "2019-02-08T09:31:22","version" => "v1.3.0"},{"date" => "2019-05-04T10:55:48","version" => "v1.3.1"},{"date" => "2019-07-04T18:30:30","version" => "v1.3.2"},{"date" => "2019-09-19T20:44:43","version" => "v1.3.3"},{"date" => "2019-11-20T19:43:04","version" => "v1.3.4"},{"date" => "2020-01-21T10:20:26","version" => "v1.3.5"},{"date" => "2020-09-04T13:23:31","version" => "v1.3.6"},{"date" => "2020-09-04T13:39:40","version" => "v1.3.7"},{"date" => "2020-09-06T21:03:06","version" => "v1.3.8"},{"date" => "2021-08-10T04:44:06","version" => "v1.3.9"},{"date" => "2022-03-08T13:51:31","version" => "v1.3.10"},{"date" => "2022-09-26T16:41:24","version" => "v1.3.11"},{"date" => "2023-07-06T10:43:25","version" => "v1.3.12"},{"date" => "2023-07-06T11:38:32","version" => "v1.3.13"},{"date" => "2024-12-19T07:59:19","version" => "v1.3.13"},{"date" => "2025-04-10T19:24:48","version" => "v1.3.15"},{"date" => "2025-04-12T10:31:56","version" => "v1.3.16"},{"date" => "2025-06-18T12:49:41","version" => "v1.3.17"},{"date" => "2025-09-23T10:46:46","version" => "v1.3.18"}]},"Apache-Session-LDAP" => {"advisories" => [{"affected_versions" => ["<0.5"],"cves" => ["CVE-2020-36658"],"description" => "In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.\n","distribution" => "Apache-Session-LDAP","fixed_versions" => [">=0.5"],"id" => "CPANSA-Apache-Session-LDAP-2020-36658","references" => ["https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f","https://lists.debian.org/debian-lts-announce/2023/01/msg00024.html"],"reported" => "2023-01-27","severity" => undef}],"main_module" => "Apache::Session::LDAP","versions" => [{"date" => "2009-04-18T17:09:10","version" => "0.01"},{"date" => "2009-04-18T19:43:50","version" => "0.02"},{"date" => "2010-12-08T15:30:51","version" => "0.1"},{"date" => "2012-06-26T04:22:47","version" => "0.2"},{"date" => "2014-10-24T12:21:07","version" => "0.2"},{"date" => "2015-06-12T15:47:40","version" => "0.4"},{"date" => "2020-09-06T13:13:20","version" => "0.2"}]},"Apache-SessionX" => {"advisories" => [{"affected_versions" => ["<2.01"],"cves" => [],"description" => "Problem in session_id validation, which allows creation of session with invalid ids.\n","distribution" => "Apache-SessionX","fixed_versions" => [">=2.01"],"id" => "CPANSA-Apache-SessionX-2005-01","references" => ["https://metacpan.org/changes/distribution/Apache-SessionX"],"reported" => "2005-11-15"}],"main_module" => "Apache::SessionX","versions" => [{"date" => "2001-11-20T15:36:53","version" => "2.00"},{"date" => "2003-03-02T14:18:57","version" => "2.00"},{"date" => "2005-11-15T05:21:49","version" => "2.01"}]},"Apache-Wyrd" => {"advisories" => [{"affected_versions" => ["<0.97"],"cves" => [],"description" => "User-submitted data cab be executed if it is displayed on a page, if the data contains a string that can be interpreted as a Wyrd.\n","distribution" => "Apache-Wyrd","fixed_versions" => [">=0.97"],"id" => "CPANSA-Apache-Wyrd-2008-01","references" => ["https://metacpan.org/dist/Apache-Wyrd/changes"],"reported" => "2008-04-14","severity" => undef}],"main_module" => "Apache::Wyrd","versions" => [{"date" => 
"2004-03-17T21:36:52","version" => "0.8"},{"date" => "2004-03-18T22:52:04","version" => "0.81"},{"date" => "2004-03-25T23:52:49","version" => "0.82"},{"date" => "2004-08-19T15:42:55","version" => "0.83"},{"date" => "2004-09-03T19:44:01","version" => "0.84"},{"date" => "2004-09-22T16:08:23","version" => "0.85"},{"date" => "2004-09-23T02:04:43","version" => "0.86"},{"date" => "2004-10-31T20:59:42","version" => "0.87"},{"date" => "2004-12-16T20:56:33","version" => "0.90"},{"date" => "2005-01-09T21:52:49","version" => "0.91"},{"date" => "2005-01-13T17:42:18","version" => "0.92"},{"date" => "2005-03-25T21:22:56","version" => "0.93"},{"date" => "2006-10-22T22:57:04","version" => "0.94"},{"date" => "2007-04-30T23:02:05","version" => "0.95"},{"date" => "2007-05-01T15:20:02","version" => "0.96"},{"date" => "2008-04-14T18:49:14","version" => "0.97"},{"date" => "2008-04-15T21:32:47","version" => "0.98"}]},"Apache2-AuthAny" => {"advisories" => [{"affected_versions" => [">0"],"cves" => ["CVE-2025-40933"],"description" => "Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. 
Predicable session ids could allow an attacker to gain access to systems.","distribution" => "Apache2-AuthAny","fixed_versions" => [],"id" => "CPANSA-Apache2-AuthAny-2025-40933","references" => ["https://metacpan.org/release/KGOLDOV/Apache2-AuthAny-0.201/source/lib/Apache2/AuthAny/Cookie.pm"],"reported" => "2025-09-17","severity" => undef}],"main_module" => "Apache2::AuthAny","versions" => [{"date" => "2011-05-09T22:32:29","version" => "0.20"},{"date" => "2011-05-16T18:32:03","version" => "0.201"}]},"App-Context" => {"advisories" => [{"affected_versions" => [">=0.01,<=0.968"],"cves" => ["CVE-2012-6141"],"description" => "The App::Context module 0.01 through 0.968 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request to (1) App::Session::Cookie or (2) App::Session::HTMLHidden, which is not properly handled when it is deserialized.\n","distribution" => "App-Context","fixed_versions" => [">0.968"],"id" => "CPANSA-App-Context-2012-6141","references" => ["http://seclists.org/oss-sec/2013/q2/318","https://exchange.xforce.ibmcloud.com/vulnerabilities/84198"],"reported" => "2014-06-04","severity" => undef}],"main_module" => "App::Context","versions" => [{"date" => "2002-10-10T21:31:39","version" => "0.01"},{"date" => "2004-09-02T21:17:44","version" => "0.90"},{"date" => "2005-01-07T14:02:06","version" => "0.93"},{"date" => "2005-08-09T20:05:02","version" => "0.95"},{"date" => "2006-03-10T04:24:13","version" => "0.96"},{"date" => "2006-03-12T01:30:11","version" => "0.962"},{"date" => "2006-07-25T02:30:21","version" => "0.963"},{"date" => "2006-09-04T19:41:12","version" => "0.964"},{"date" => "2007-04-17T13:33:24","version" => "0.965"},{"date" => "2008-02-27T03:13:41","version" => "0.966"},{"date" => "2008-02-27T14:19:23","version" => "0.9661"},{"date" => "2009-09-11T14:31:52","version" => "0.967"},{"date" => "2010-06-09T21:33:19","version" => "0.968"}]},"App-Genpass" => {"advisories" => 
[{"affected_versions" => ["<0.2400"],"cves" => [],"description" => "App-genpass before v0.2400 generated passwords using build in rand()\n","distribution" => "App-Genpass","fixed_versions" => [">=0.2400"],"id" => "CPANSA-App-Genpass-2024-001","references" => ["https://metacpan.org/dist/App-Genpass/changes","https://github.com/xsawyerx/app-genpass/pull/5","https://github.com/briandfoy/cpan-security-advisory/issues/178"],"reported" => undef,"severity" => undef}],"main_module" => "App::Genpass","versions" => [{"date" => "2009-12-14T22:15:31","version" => "0.03"},{"date" => "2010-01-01T18:06:50","version" => "0.04"},{"date" => "2010-01-02T07:45:49","version" => "0.05"},{"date" => "2010-05-28T21:46:01","version" => "0.06"},{"date" => "2010-05-29T21:37:11","version" => "0.07"},{"date" => "2010-05-30T08:35:54","version" => "0.08"},{"date" => "2010-05-31T18:39:55","version" => "0.09"},{"date" => "2010-06-07T10:16:54","version" => "0.10"},{"date" => "2010-07-16T21:15:53","version" => "0.11"},{"date" => "2010-07-16T22:36:16","version" => "1.00"},{"date" => "2010-07-18T15:20:18","version" => "1.01"},{"date" => "2011-02-17T10:52:08","version" => "2.00"},{"date" => "2011-03-10T12:26:49","version" => "2.01"},{"date" => "2011-08-03T11:58:46","version" => "2.02"},{"date" => "2011-08-03T16:05:37","version" => "2.03"},{"date" => "2011-08-06T07:36:59","version" => "2.04"},{"date" => "2011-08-08T12:51:57","version" => "2.10"},{"date" => "2011-11-27T17:45:15","version" => "2.20"},{"date" => "2012-03-26T19:55:19","version" => "2.30"},{"date" => "2012-06-26T08:16:36","version" => "2.31"},{"date" => "2012-06-30T23:12:23","version" => "2.32"},{"date" => "2012-11-20T08:48:46","version" => "2.33"},{"date" => "2014-08-04T20:00:26","version" => "2.34"},{"date" => "2016-10-12T08:56:56","version" => "2.400"},{"date" => "2016-10-14T21:27:13","version" => "2.401"}]},"App-Github-Email" => {"advisories" => [{"affected_versions" => ["<0.3.3"],"cves" => ["CVE-2015-7686"],"description" => "Insecure 
dependency on Email::Address.\n","distribution" => "App-Github-Email","fixed_versions" => [">=0.3.3"],"id" => "CPANSA-App-Github-Email-2018-01","references" => ["https://metacpan.org/changes/distribution/App-Github-Email","https://github.com/faraco/App-Github-Email/commit/b7f052280d1c8ae97bdefc106ca3cbba4aea7213"],"reported" => "2018-01-20"}],"main_module" => "App::Github::Email","versions" => [{"date" => "2017-01-16T08:03:02","version" => "0.0.1"},{"date" => "2017-01-16T12:56:51","version" => "0.0.2"},{"date" => "2017-01-16T17:38:16","version" => "0.0.3"},{"date" => "2017-03-11T10:45:23","version" => "0.0.4"},{"date" => "2017-04-05T11:19:02","version" => "0.0.5"},{"date" => "2017-04-15T17:35:18","version" => "0.0.6"},{"date" => "2017-05-19T05:05:24","version" => "0.0.7"},{"date" => "2017-12-18T14:11:19","version" => "0.1.0"},{"date" => "2017-12-21T08:24:12","version" => "0.1.1"},{"date" => "2018-01-15T03:18:05","version" => "0.2.0"},{"date" => "2018-01-20T12:55:34","version" => "0.2.1"},{"date" => "2018-08-30T16:07:18","version" => "0.3.1"},{"date" => "2018-08-30T16:13:54","version" => "0.3.2"},{"date" => "2018-08-31T03:49:31","version" => "0.3.3"}]},"App-Netdisco" => {"advisories" => [{"affected_versions" => [">=2.001000_001,<=2.007000_001"],"cves" => ["CVE-2020-11022"],"description" => "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. 
This problem is patched in jQuery 3.5.0.\n","distribution" => "App-Netdisco","fixed_versions" => [],"id" => "CPANSA-App-Netdisco-2020-11022-jquery","references" => ["https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2","https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/","https://jquery.com/upgrade-guide/3.5/","https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77","https://security.netapp.com/advisory/ntap-20200511-0006/","https://www.drupal.org/sa-core-2020-002","https://www.debian.org/security/2020/dsa-4693","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/","https://www.oracle.com/security-alerts/cpujul2020.html","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html","https://security.gentoo.org/glsa/202007-03","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html","https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133\@%3Ccommits.airflow.apache.org%3E","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/","https://lists.fedoraproject.org/archives/list/package-announce\@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/","https://www.oracle.com/security-alerts/cpuoct2020.html","https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67\@%3Cdev.flink.apache.org%3E","https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d\@%3Cissues.flink.apache.org%3E","http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.
html","https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2020-10","https://www.tenable.com/security/tns-2020-11","https://www.oracle.com/security-alerts/cpujan2021.html","https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2021-02","https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html","http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html","https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108\@%3Cissues.flink.apache.org%3E","https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae\@%3Cissues.flink.apache.org%3E","https://www.tenable.com/security/tns-2021-10","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36\@%3Cissues.flink.apache.org%3E","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html"],"reported" => "2020-04-29","severity" => "medium"},{"affected_versions" => [">=2.001000_001,<=2.007000_001"],"cves" => ["CVE-2020-11023"],"description" => "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing